Need a real DMZ zone

Discussion in 'Tomato Firmware' started by esaym, Dec 10, 2008.

  1. esaym

    esaym LI Guru Member

    I have been running an old computer as my network gateway (smoothwall) for about 6 years now. I have finally decided to try and get with the times and replace it with a wrt54gl that I have with tomato firmware.

    My first issue is that I use smoothwall because of the transparent squid webcache. It looks like I should be able to use iptables and iproute to redirect all web traffic to a server on my lan that I will install squid on. So I don't think that will be a problem.

    The next issue is that I have to have my server on a dmz. It looks like making a vlan on a different subnet should be possible:
    But I will also need to be able to port forward external traffic to the server on the dmz and I also need a firewall in place between the dmz network and local lan. Will the webgui be able to do that port forwarding or will I have to just use cli through ssh?

    Next issue is I need QOS for everything behind the wrt54gl. To my knowledge the qos with tomato does not see any extra vlans if added?
  2. esaym

    esaym LI Guru Member

    Ok I have gotten somewhere. It looks like the QOS is only on the wan interface so that is good.

    I managed to get the vlans set up for a real dmz:

    nvram set vlan0ports="2 1 0 5*"
    nvram set vlan2hwname=et0
    nvram set vlan2ports="3 5"
    nvram set manual_boot_nv=1
    nvram commit

    (please note that switch port numbers are different for every model)

    Then once it reboots you have to bring up the new interface and set iptables to allow what you want:

    ifconfig vlan2 netmask
    iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
    iptables -I INPUT -i vlan2 -j ACCEPT
    iptables -I INPUT -i vlan1 -j ACCEPT

    That seems to be a good start. I can still access the webgui on the vlan0 so I need to figure out what iptables rules to disallow that. vlan0 can access vlan2 but not vice versa, which is what I want. And vlan2 can get to the internet.
  3. udippel

    udippel Addicted to LI Member

    esaym, yes!!

    It is my only gripe with Tomato. It is not a router, as long as there is a joke of a DMZ. The rules should be rather obvious as soon as I can make out how to set up the three different networks: WAN, LAN, DMZ.
    I looked at the architecture, and it seems WRT54G uses 2 eth, one for WiFi and one for vlan0 and vlan1 (switch and WAN); something like alias or tags.
    I for one can do away with wired links on the LAN. So for me, WiFi and its associated eth can do as Trusted LAN, and the 4 ports switch can go as DMZ. Effectively, that would be supported by the hardware in principle. Once I have some time, I might drop some rules into the router to check if it works. Half-heartedly, though, because I wouldn't want to kind of overrule the web-based configuration; or be overruled by it. Therefore I hope to get the author's cooperation for a revamped DMZ setup that allows creating quite another network for the DMZ.

  4. esaym

    esaym LI Guru Member

    Another issue I came across is CONFIG_IP_ADVANCED_ROUTER is not configured for the kernel so I am not going to be able to reroute my squid requests like I had hoped because
    ip rule add fwmark 3 table 2
    spits out
    RTNETLINK answers: Invalid argument

    I might have to look into recompiling
  5. roadkill

    roadkill Super Moderator Staff Member Member

    try one of the mods
  6. esaym

    esaym LI Guru Member

    Yes to route by fwmark you have to have


    In the kernel. The few mods that I grabbed the source for did not.

    But alas, after many hours of work I custom built my own:
  7. esaym

    esaym LI Guru Member

    Hmm yea the next issue is with the web gui for the port forwarding. For some strange reason it does SNAT on the forwarded ports, matching only the netmask on normal lan, vlan0. So therefore port forwarding to the dmz on a different network doesn't work.

    I don't know why snat was used, smoothwall doesn't do it like that and neither does this howto
    However using only DNAT + FORWARD doesn't work :(

    If you disable the nat loopback feature under advanced / firewall this does away with the SNAT and port forwarding works right :)
  8. esaym

    esaym LI Guru Member

    This is what I added to the firewall script to allow the new dmz to talk to the internet and allow the lan to talk to it (basically this inserts a firewall between the lan and dmz)

    #allow wan to dmz
    iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -i vlan2 -o vlan1 -j ACCEPT
    iptables -I FORWARD 2 -m state --state ESTABLISHED,RELATED -i vlan1 -o vlan2 -j ACCEPT
    iptables -I FORWARD 3 -m state --state NEW -i vlan2 -o vlan1 -j ACCEPT
    #create chain for dmzpinholes
    iptables -N dmzholes
    iptables -I FORWARD 1 -i vlan2 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -I FORWARD 2 -i br0 -o vlan2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    #send a new connection trying to talk to lan to dmzholes chain
    iptables -I FORWARD 3 -i vlan2 -o br0 -j dmzholes
    #allow dhcp on wan to stop annoying logging
    iptables -I INPUT -p tcp --source-port 67 --destination-port 68 -i vlan1 -j ACCEPT
    iptables -I INPUT -p tcp --source-port 68 --destination-port 67 -i vlan1 -j ACCEPT
    iptables -I INPUT -p udp --source-port 67 --destination-port 68 -i vlan1 -j ACCEPT
    iptables -I INPUT -p udp --source-port 68 --destination-port 67 -i vlan1 -j ACCEPT
    #dmz can ping the dmz interface
    iptables -I INPUT 1 -i vlan2 -p icmp -d -j ACCEPT
    #drop invalid ips coming on on wan
    iptables -t nat -I PREROUTING -i vlan1 -d -j DROP
    #forwarded dmz ports on udp for a voip phone on the lan
    iptables -I dmzholes -m state --state NEW -p udp -i vlan2 -o br0 -s -d --dport 5060 -j ACCEPT
    iptables -I dmzholes -m state --state NEW -p udp -i vlan2 -o br0 -s -d --dport 5004 -j ACCEPT
    iptables -I dmzholes -m state --state NEW -p udp -i vlan2 -o br0 -s -d --dport 5005 -j ACCEPT
    add this to the wan up scripts to create dmz interface on startup:
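    The following is an added example, not esaym's script: it prints the iptables commands for the WAN/LAN/DMZ policy described in posts 7 and 8 (stateful replies, DMZ to Internet, LAN to DMZ, DMZ to LAN only through pinholes, DNAT without SNAT for forwards into the DMZ), using a dedicated chain so rule order does not depend on -I positions. Interface names follow the thread; every address is a placeholder, and the pinhole and forward at the bottom are assumed sample values.

```shell
#!/bin/sh
# Added example, not esaym's firewall script. Review with `sh dmz.sh`,
# apply with `sh dmz.sh | sh` from Tomato's firewall script.
# Interface names follow the thread; all addresses are placeholders.
WAN=${WAN:-vlan1}    # Internet side
LAN=${LAN:-br0}      # trusted LAN bridge (wired + WiFi)
DMZ=${DMZ:-vlan2}    # the new DMZ vlan

dmz_rules() {
    # Own chain, jumped to from the top of FORWARD, so Tomato's existing
    # LAN<->WAN rules stay untouched and our order is explicit.
    echo "iptables -N dmzfw"
    echo "iptables -N dmzholes"
    echo "iptables -I FORWARD 1 -j dmzfw"
    # replies to connections already accepted, any direction
    echo "iptables -A dmzfw -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # DMZ may reach the Internet, LAN may reach the DMZ
    echo "iptables -A dmzfw -i $DMZ -o $WAN -m state --state NEW -j ACCEPT"
    echo "iptables -A dmzfw -i $LAN -o $DMZ -m state --state NEW -j ACCEPT"
    # DMZ -> LAN only through explicit pinholes, everything else dropped
    echo "iptables -A dmzfw -i $DMZ -o $LAN -j dmzholes"
    echo "iptables -A dmzfw -i $DMZ -o $LAN -j DROP"
    # DMZ hosts may ping the router but not reach its services (webgui, ssh);
    # add INPUT accepts before the DROP if the DMZ needs DNS/DHCP from it.
    echo "iptables -I INPUT 1 -i $DMZ -p icmp -j ACCEPT"
    echo "iptables -I INPUT 2 -i $DMZ -j DROP"
}

# pinhole PROTO DMZ_SRC LAN_DST DPORT: one permitted DMZ -> LAN connection
pinhole() {
    echo "iptables -A dmzholes -i $DMZ -o $LAN -m state --state NEW -p $1 -s $2 -d $3 --dport $4 -j ACCEPT"
}

# forward_to_dmz PROTO EXT_PORT DMZ_HOST INT_PORT: DNAT plus the matching
# FORWARD accept (per post 7, works once NAT loopback SNAT is disabled)
forward_to_dmz() {
    echo "iptables -t nat -I PREROUTING 1 -i $WAN -p $1 --dport $2 -j DNAT --to-destination $3:$4"
    echo "iptables -A dmzfw -i $WAN -o $DMZ -p $1 -d $3 --dport $4 -m state --state NEW -j ACCEPT"
}

dmz_rules
pinhole udp 192.0.2.10 10.0.0.50 5060    # placeholder: SIP from DMZ PBX to LAN phone
forward_to_dmz tcp 80 192.0.2.10 80      # placeholder: web server in the DMZ
```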
  9. gsan

    gsan LI Guru Member

    What do I need to do if I want to set DMZ for (PC A) and (PC C)? The reason is because I want to use free vpn, hotspot shield on both PC A & PC C. I realize that I'm facing difficulty to connect the vpn without enabling DMZ.

    here is some info regarding my network. - ip for belkin adsl modem - ip for asus wl500gp router

    both subnet mask -
  10. Hi esaym.

    I am brand new to the board but have been using the info available with much success.

    Your post regarding a DMZ on a different subnet as with Smoothwall certainly raised my interest and is one of the main reasons I have not retired my Smoothy as I have a mail server hanging on the orange network.

    I was wondering if you got your Tomato router modded to your satisfaction and if you did could you spend a little time documenting the steps needed to create this ideal router device?

    I am sure I am not the only user who would be interested in a solution as you are developing.

    Thanks in advance.
